Two Critical 0-Day Remote Exploits for vBulletin Forum Disclosed Publicly (Version 5)

highlander29

Enthusiast
Joined
Nov 3, 2013
Messages
183
What the heck?

"The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims, it tried to contact vBulletin since November 21, 2017, but received no response from the company."
 

Fillip H.

Developer
Joined
Mar 13, 2006
Messages
208

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
6,968
So it’s been known for over a week and they are only fixing it “soon”?
That's what vBulletin support are claiming but the OP linked report states:

The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims, it tried to contact vBulletin since November 21, 2017, but received no response from the company.
 

Fillip H.

Developer
Joined
Mar 13, 2006
Messages
208
That's what vBulletin support are claiming but the OP linked report states:

The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims, it tried to contact vBulletin since November 21, 2017, but received no response from the company.
True, but in this case I see no reason to believe the original report over vB Support as I do not know anything about the person or persons behind Beyond Security. Benefit of the doubt and all that :)

So I chose to write my post in the most favourable light for IB, which is still pretty bad.
 

Alfa1

Administrator
Joined
May 28, 2007
Messages
3,881
The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims, it tried to contact vBulletin since November 21, 2017, but received no response from the company.
I remember a similar thing happened with previous major security exploits. vb only patched after publication of zero day. IIRC it was in 2015 when a wave of forums got hacked. This was one reason why I left vbulletin. I really didn't feel comfortable that vbulletin had my back. On the contrary.
 

WD

Enthusiast
Joined
Mar 24, 2010
Messages
243
Damn I just heard about this. I wanted to roast vBulletin again. I see they're still idiots and don't care about customers. Let's hope IB gets sued by outraged vB customers.


BirdOPrey5, do you still work at vB? Can a fix be expected before Christmas? Or are the muppets in charge awaiting the site to be hacked for the millionth time? Or are they just rolling in cash while not caring still?
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,854
I see all the usual nonsense in this thread.
Unless you know how VB processes work, then you have no basis to make comments like "they're still idiots and don't care about customers".

Anyone can claim they tried to make contact, I could open my window and shout out of it at vB support and claim "I tried to make contact".

Once an exploit has actually been reported, it requires time to investigate it, replicate it, decide how to fix it (without breaking anything else, or introducing more issues) then it has to be tested, it has to be back ported to at least 3 previous versions, tested on them as well, and then all the work to actually package it up and release it.

Anyone who thinks this is a five minute job is utterly clueless.

(And no, I don't have any particular love for IB anymore, I just cannot abide people making uninformed, attacking comments.)
 

VICE

tool
Joined
Jun 8, 2013
Messages
2,735
tried to make contact
This has been on my mind since the first time I read this thread. It's amazing that even after two million years have passed, some people are still hating IB so much that their hatred completely impairs their reasoning. It's not surprising either that most of these remnant haters happen to be third-party developers, whilst the actual former customers moved on a long time ago.

But what does "tried to contact" actually mean here? Was it a responsible disclosure? Was there any monetary demand? What caused the "no response" from IB? These are the questions that interest me the most instead of the typical IB bashing circle-jerk.
 

I A 1

Enthusiast
Joined
Jun 7, 2015
Messages
135
Viewing Who's Online today I noticed several guests trying to access something like the following:
Code:
https://www.domain.com/index.php?id=1%27%7C%7C%28SELECT%20%27ayRR%27%20WHERE%209663%3D9663%20OR%20EXP%28%7E%28SELECT%20%2A%20FROM%20%28SELECT%20CONCAT%280x7171627a71%2C%28SELECT%20%28ELT%281334%3D1334%2C1%29%29%29%2C0x71627a6a71%2C0x78%29%29x%29%29%29%7C%7C%27
Was that related to this exploit? I am running vB4.
 

Ryan Ashbrook

IPS Developer
Joined
Jan 26, 2004
Messages
3,508
Viewing Who's Online today I noticed several guests trying to access something like the following:
Code:
https://www.domain.com/index.php?id=1%27%7C%7C%28SELECT%20%27ayRR%27%20WHERE%209663%3D9663%20OR%20EXP%28%7E%28SELECT%20%2A%20FROM%20%28SELECT%20CONCAT%280x7171627a71%2C%28SELECT%20%28ELT%281334%3D1334%2C1%29%29%29%2C0x71627a6a71%2C0x78%29%29x%29%29%29%7C%7C%27
Was that related to this exploit? I am running vB4.
Not likely. Oftentimes people will issue bots that make basic attempts at blind SQL injection, so that is what you're likely seeing. I would look into the IP address of the user and ban them at the server level if they seem suspicious.
 

I A 1

Enthusiast
Joined
Jun 7, 2015
Messages
135
I found multiple IP addresses trying to make similar attacks at the same time. It doesn't seem practical to block so many IPs. What else can be done to block such attacks?
 

LeadCrow

Apocalypse Admin
Joined
Jun 29, 2008
Messages
6,465
I found multiple IP addresses trying to make similar attacks at the same time. It doesn't seem practical to block so many IPs. What else can be done to block such attacks?
You could start with your webhost's web firewall, since it will be a supported solution (like Imunify360).

Cloudflare can block a lot of malicious traffic and mitigate the performance loss from bots visiting or DDOSing your site. It's a handy first defense.
 

I A 1

Enthusiast
Joined
Jun 7, 2015
Messages
135
Question & Answer for registration.
They don't register.

You could start with your webhost's web firewall, since it will be a supported solution (like Imunify360).

Cloudflare can block a lot of malicious traffic and mitigate the performance loss from bots visiting or DDOSing your site. It's a handy first defense.
I am on a self-managed VPS, so I am all on my own. I am not using Cloudflare either.

So far I have tried using iptables with the following rule but it seems this doesn't block them out.
Code:
# Plain HTTP only: on port 443 the request line is inside TLS, so -m string can never see it; the original pattern also had a stray "/" after index.php and never matched.
iptables -I INPUT -p tcp --dport 80 -m string --to 170 --algo bm --string 'GET /index.php?id=1' -j DROP
Tried adding another rule for port 80 with no luck. I got this from the tutorial here: https://blog.nintechnet.com/how-to-block-w00tw00t-at-isc-sans-dfind-and-other-web-vulnerability-scanners/


Any security expert here who can help?
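The two questions in this exchange (is that request a SQL injection probe, and how do you deal with many source IPs without writing a rule per address) can be handled from the access log rather than with packet string matching, which cannot see inside HTTPS anyway. The script below is an added example, not code from this thread, from vBulletin or from Internet Brands: it parses Apache/nginx "combined" format lines, URL-decodes the request target, matches a few injection markers (including the `'||(SELECT ... CONCAT(0x...` shape quoted above), counts hits per client IP, and emits `ipset`/`iptables` commands for repeat offenders. The sample log lines, the documentation-range IPs and the ipset name `vbprobe` are all constructed for the example; the marker list is a starting point to tune, not a complete signature set.

```python
"""Added example: find SQL-injection probe requests in an access log and
build an ipset-based block list for the IPs that keep sending them.
Assumes the Apache/nginx "combined" log format. Sample lines, IPs and the
ipset name "vbprobe" are constructed for this example."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Dec/2017:10:15:01 +0000] "GET /index.php?id=1%27%7C%7C%28SELECT%20%27ayRR%27%20WHERE%209663%3D9663%20OR%20EXP%28%7E%28SELECT%20%2A%20FROM%20%28SELECT%20CONCAT%280x7171627a71%2C%28SELECT%20%28ELT%281334%3D1334%2C1%29%29%29%2C0x71627a6a71%2C0x78%29%29x%29%29%29%7C%7C%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Dec/2017:10:15:02 +0000] "GET /index.php?id=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Dec/2017:10:15:03 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Dec/2017:10:15:04 +0000] "GET /index.php?id=1%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 200 5120 "-" "curl/7.55"
192.0.2.25 - - [03/Dec/2017:10:15:05 +0000] "GET /search.php?q=select%20a%20forum HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# One "combined" format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Injection markers, matched against the decoded request target. Tune for your site:
# a forum search for the word "select" must not trip these, so each needs SQL structure.
SQLI_PATTERNS = [
    re.compile(r"union\s+select", re.I),                     # UNION SELECT ...
    re.compile(r"concat\(0x[0-9a-f]+", re.I),                # hex-wrapped marker strings scanners look for
    re.compile(r"exp\(~\(", re.I),                           # error-based probe shape EXP(~(SELECT ...))
    re.compile(r"'\s*(\|\||or|and)\s*['(\d]", re.I),         # quote break-out: 1'||(SELECT ..., 1' or '1
    re.compile(r"\b(and|or|where)\s+\d+\s*=\s*\d+", re.I),   # tautology: AND 1=1, WHERE 9663=9663
]


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(raw_path, rounds=2):
    """URL-decode the request target; a second round catches double-encoded payloads (%2527 -> %27 -> ')."""
    for _ in range(rounds):
        raw_path = unquote_plus(raw_path)
    return raw_path


def is_sqli_probe(raw_path):
    """True if the decoded request target carries any of the injection markers."""
    decoded = decode_path(raw_path)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def scan_log(text):
    """Return a Counter of probe requests per client IP."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_sqli_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return hits


def ban_commands(hits, threshold=2, setname="vbprobe"):
    """Build ipset/iptables commands dropping traffic from IPs with at least `threshold` probes.
    One ipset behind a single iptables rule scales to many addresses, unlike one rule per IP."""
    offenders = sorted(ip for ip, n in hits.items() if n >= threshold)
    cmds = [
        f"ipset create {setname} hash:ip -exist",
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in offenders]
    return cmds


if __name__ == "__main__":
    counts = scan_log(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} probe(s)")
    print("\n".join(ban_commands(counts)))
```

To use it on a real server, feed the contents of the access log to `scan_log()` in place of `SAMPLE_LOG`, review the counts before running the emitted commands, and run the `iptables -I` line only once (the `ipset` lines are idempotent thanks to `-exist`). The same log-driven approach is what fail2ban automates with a custom filter, which is the more maintainable option if the VPS already has it installed.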
 

Alfa1

Administrator
Joined
May 28, 2007
Messages
3,881
My site is under attack almost any day of the year, so here are my suggestions based upon my experience with vbulletin:
Aside from LeadCrow's excellent suggestion to add Cloudflare, consider installing these addons:
vb bad behavior to automatically block bad users and bots. It saved my ass many times.
vbsecurity so that you can add many levels of protection (2FA) and get alerted about anything suspect.

Also block IP ranges at server level.

LiteSpeed Web Server may be an idea as it offers a good set of security settings to automatically ban suspect users. I always was very happy with it when running vbulletin.

And of course add directory passwords through .htaccess for anything that needs to be secured, especially admincp and modcp.
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,854
What actual issue are they causing you?

You can never stop attempted attacks, unless you block everyone's access, which would be rather pointless.

At the end of the day, they are not actually getting anywhere, just loading a few useless pages.
You should consider if spending all this time and effort in trying to block them is really worth all the effort.
 